Troubleshooting FTP related issues on IIS 6.0
Troubleshooting FTP related issues on IIS can be a real pain. If you have not encountered so far you are lucky:-)
What I do generally is to create a new FTP site and make it to work rather than working on the already corrupted site. It depends on your personal choice depending upon how much you want to invest.
Here I will be talking about some issues and relevant troubleshooting that you can do to resolve the issue.
To start with, there are three modes in IIS 6.0 using which you can setup an FTP site. Now these modes are different isolation levels for FTP users such that they can access only restricted folders within their dedicated home directory and sub-directories.
These are:
1. Do not isolate users (This is same as the only mode available in IIS 5.0)
2. Isolate users (This is applicable for local as well as domain users, and is not integrated with Active Directory (AD))
3. Isolate users using Active Directory (Also called Active directory user isolation mode, applicable only for AD users, integrated with AD)
Here is the Screen shot of the options available when you create a new FTP site.
1. Do not isolate users (Users can access the FTP home directory of other users)
Now in the first mode (Do not isolate users) there is a security risk wherein unauthorized access is possible since FTP do not provide any mechanism to isolate users by itself. You will have to make sure the NTFS permissions (ACLs) are properly set to deny unauthorized users. The wizard clearly shows that users can access the FTP home directory of other users.
***In IIS 6.0 with an FTP site running in the above mode, users may not be able to logon directly to the root folder of the FTP site. Instead they may be automatically routed a folder created just for them under the FTP root. Now this is by design and it may happen when there is a sub-folder inside the FTP Root folder that matches the users' alias (logged-on username). In such a case they will automatically be placed into that folder upon logon.
To work around this behavior, it is necessary to place another folder level between the users and the Root folder of the FTP site.
2. Isolate users
This is one of the new FTP modes available in IIS 6.0 (not available in IIS 5.0) wherein users can be isolated from each other by FTP itself and they will be taken directly to their home directory instead of the FTP root directory. This mode can be set for local as well as domain user accounts. However you need to ensure that we have proper directory hierarchy maintained for each user from the FTP root onwards. I will shortly show you how. Any user who has logged on to his/her FTP home directory won't be able to access the home directory of other users provided you restrict them using NTFS permissions.
If you want to have an FTP site for local user accounts and want isolation such that users should be taken directly to their home directory here is the hierarchy you need to follow:
Let's assume the root directory for the FTP site is C:\FTPRoot (You may change it to whatever location you want). Now you need to have a folder named "LocalUser" just underneath the FTP root directory. And under this folder (LocalUser) you need to add sub-folders for different users. Remember to have the name of the sub-folder same as the local user account. And for domain users you need to create a folder with the same name as the <domain> and under it you need to create sub-folders for every domain user.
Pictorially it should be like this:
Here I have the domain name as Saurabh1.com.
So I have the following folders for my FTP site based on the users.
ftpuser1 and ftpuser2 are local user accounts and saurabh1\domainuser1 and saurabh1\domainuser2 are domain user accounts.
Also notice that if you allow anonymous access to the site you need to have a public folder inside the LocalUser folder as shown above.
Also you can have as many virtual directories as you want under the FTP site for various users. Whenever the user logs on to the site with their credentials they will be taken to their own respective folders.
If you look into the screen capture below a user cannot go above his/her home directory. User will be confined to their own folder or sub-folders.
Also it is recommended to ensure we have proper NTFS permissions set in place. Do not allow access to any other account except administrator/System to the user's folder. Obviously user should have the necessary permissions dedicated to him/her on that folder. If you have Anonymous account enabled users will be taken directly to the public folder (to be more precise it depends upon the FTP client in use. FTP.exe will prompt you to enter the username/password whereas IE will directly take you to the public folder).
3. Isolate users using Active Directory (AD) isolation mode
Here are the steps for AD isolation mode. It is not meant for local users account and only for Active directory users. Please follow the steps carefully since AD isolation mode issues can be a bit tricky to resolve :-)
Here below add the domain admin account and make sure you click on Browse to select the user account and not just manually type it.. I have a reason for asking that.
Create Virtual directories for each of the domain accounts that will be used for accessing the FTP site. Be sure to name the virtual directory identical to the
username of the user who will be logging in. For instance, the user account of User1 will need a virtual directory named User1. Please remember that it is not a must to have a separate virtual directory for all the users under the root FTP site. Based on the commands mentioned below, users will be automatically taken to their respective folders and they need not have a Virtual directory created under the FTP site.
Then, Run the IISFTP.vbs script as below:
In a command prompt, navigate to C:\windows\system32 and run the VBScript iisftp.vbs twice (with different arguments shown below) for each user that will need access to the FTP site. This will do the necessary changes to the user account in AD's LDAP database.
[Words underlined are your variables]
For user1:
C:\windows\system32> Cscript iisftp.vbs /setadprop domainuser1 ftproot C:\ftproot\adroot
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
The value of ftproot for user domainuser1 has been set to C:\ftproot\adroot
C:\windows\system32> Cscript iisftp.vbs /setadprop domainuser1 ftpdir folder1
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
The value of ftpdir for user domainuser1 has been set to folder1
[Remember in the above command for ftpdir you need to set the folder name for the user account and not the complete path i.e. although the user's directory is set to C:\ftproot\adroot\folder1, you should mention "folder1" in the command as mentioned above and not the complete path].
ftproot specifies the complete path for the parent folder (root) and ftpdir specifies the name of the user's folder. Here if you had a remote UNC share for the FTP contents you can change the command to, Cscript iisftp.vbs /setadprop domainuser1 ftproot \\ftpserver\ftproot\adroot
Similarly for user2:
C:\windows\system32> Cscript iisftp.vbs /setadprop domainuser2 ftproot C:\ftproot\adroot <---[It can be a different location other than the ftproot for user1]
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
The value of ftproot for user domainuser2 has been set to C:\ftproot\adroot
C:\windows\system32> Cscript iisftp.vbs /setadprop domainuser2 ftpdir folder2
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
The value of ftpdir for user domainuser2 has been set to folder2
Now before you try accessing the site using account domain\username ensure that you have the necessary folder hierarchy in place as set up in the above commands, i.e. if you do not have an existing path C:\ftproot\adroot\folder1 you will get the following error message:
User Saurabh1\domainuser1 cannot log in, home directory inaccessible.
Login failed.
Also in an AD isolation mode you won't see the option to allow anonymous connections. Check the difference between an AD isolated site and a non-AD isolated site. Notice the number of tabs in each.
If you already have an FTP site and you don't know the isolation mode for it you can open the metabase.xml file from C:\windows\system32\inetsrv and search for the tag UserIsolationMode and check its value.
FTP site having mode as:
- Do not isolate users (this is same as the only mode available in IIS 5.0) ---------> will have UserIsolationMode set to 0
- Isolate users (this is applicable for local as well as domain users) -----------> will have UserIsolationMode set to 1
- Isolate users using Active Directory (also called Active directory user isolation mode, applicable only for Active directory users) -----> will have UserIsolationMode set to 2.
Checklist:
When you try to visit an AD isolated FTP site from a command prompt, you may receive the following error message:
530 User <Domain>\<UserName> cannot log in, home directory inaccessible.
Login failed.
This problem can occur because of any one of the following reasons:
- The msIIS-FTPDir or msIIS-FTPRoot properties for the User Account that is trying to access the FTP site are not configured in the Active Directory.
Make sure that msIIS-FTPDir and msIIS-FTPRoot properties for the user account are configured properly. To do this, open up a command prompt on the IIS server and browse to C:\Windows\system32 folder. Run the following commands:
C:\WINDOWS\system32>cscript iisftp.vbs /GetADProp <username> FTPRoot
C:\WINDOWS\system32>cscript iisftp.vbs /GetADProp <username> FTPDir
If you get a valid FTPDir and FTPRoot returned as a result of this command, which means these properties are set correctly. The actual path of the user's folder will be <FTPRoot>\<FTPDir>. If the result of either of the commands is something like
The value of FTPDir for user <username> is:
null
This means that the FTPDir and FTPRoot are not set correctly. You can set them as mentioned some way above.
- The account that is set in the IIS Metabase as the ADConnectionsUserName key for the FTP site is having some issues.
It may have been locked out or is not having enough permissions to query the Active Directory. The password for account connecting to AD in ADConnectionsPassword may be incorrect.
Make sure that the password is correct and that the account is not locked out. Also ensure that the account that is configured here has enough permissions to query the Active Directory.
To check the username and password set in the metabase, run the following commands:
C:\Inetpub\AdminScripts> Cscript adsutil.vbs get msftpsvc/<FTP site identifier>/ADConnectionsUserName
C:\Inetpub\AdminScripts> Cscript adsutil.vbs get msftpsvc/<FTP site identifier>/ADConnectionsPassword
[You may find the password in encrypted format like ************. In such a case you need to modify the adsutil.vbs file to get the exact password. Open Adsutil.vbs in notepad from the above location and search for the function "IsSecureProperty(ObjectParameter,MachineName)".
In this function IsSecureProperty(ObjectParameter,MachineName), you will find the following code:
Function IsSecureProperty(ObjectParameter,MachineName)
On Error Resume Next
Dim PropObj,Attribute
Set PropObj = GetObject("IIS://" & MachineName & "/schema/" & ObjectParameter)
If (Err.Number <> 0) Then
ReportError ()
WScript.Echo "Error trying to get the property: " & err.number
WScript.Quit (Err.Number)
End If
Attribute = PropObj.Secure
If (Attribute = True) Then
IsSecureProperty = True <--------
Else
IsSecureProperty = False
End If
End Function
In the highlighted line above, change the value to False, save and now rerun the adsutil.vbs command and you should see the actual password]
- IIS server is not able to contact the Active Directory.
=================================================XXXXX=====================================================
We have seen a lot of confusion among people related to Active and Passive modes in an FTP site. I was intending to write a post on it but luckily though I found a very good article on the net. You can check this if you have some confusion on Active versus Passive FTP modes.
Ftp.exe in Windows is an active mode FTP client and IE by default is a Passive mode FTP client. You can change the settings for IE as per this KB323446
Comments
Anonymous
January 11, 2008
PingBack from http://msdn.blogsforu.com/msdn/?p=3446Anonymous
March 12, 2008
Let's consider a scenario wherein we have an FTP site hosted on an IIS Server and we are trying to setupAnonymous
March 12, 2008
Let's consider a scenario wherein we have an FTP site hosted on an IIS Server and we are trying toAnonymous
January 02, 2009
The comment has been removedAnonymous
July 02, 2009
Hello! I have read your posts here and I found most of them very interesting and helpful. Thank you for your time writing down these answers. There is one question I would like to ask you, tough. I have an IIS FTP server running, in non-isolation mode (1st choice in the menu above) and I need to set a default domain logon name for my users logging in, so that they do not need to type in "DOMAINuser", just "user". How can I manually configure this? My IIS 7.0 server (with oldIIS 6.0 FTP service) does not run the old iisftp.vbs scripts.. I just need to know what configuration to set in metabase.xml, nothing else :) Thanks, Ivo Pereira IT Consultant PortugalAnonymous
July 06, 2009
Thanks for appreciating my posts :-) Let me know if this works out for you http://support.microsoft.com/?id=184319Anonymous
July 19, 2009
Very userful, Thank you very much.Anonymous
December 29, 2009
This document saved the day for me. Brilliant trouble-shooting tips. Hi5 Saurabh. Chak de PhatteAnonymous
July 17, 2013
When i upload data on FTP Client it complete 65%, some time 19% and then its restart from zero.I want to use resume option but its not working and provide same result as that start from zeroAnonymous
April 26, 2017
You are awesome! I have been trying to find out how to get user isolation working and didn't realize I needed subfolder of LocalUser.Thank you! ! ! !